This chapter discusses risk management tools and techniques. It covers vulnerability scanning, penetration testing, and using security tools like protocol analyzers and logs to identify vulnerabilities, monitor networks, and ensure compliance. Vulnerability scanning identifies weaknesses without exploiting systems, while penetration testing more actively tries to compromise systems. Understanding risks and using the appropriate tools can help secure systems and protect confidential data.
3. Proprietary & Confidential
@GoCyberSec | January, 2020
Understanding Risk Management
• Risk
– Likelihood that a threat will exploit a vulnerability
• Vulnerabilities
– Weaknesses
• Threats
– Potential danger
• Impact
– Magnitude of harm
Threat
• Event that compromises confidentiality, integrity, or availability
– Malicious human threats
– Accidental human threats
– Environmental threats
Threat Assessment
• Helps identify and organize threats
• Attempts to identify:
– Potential threats
– Likelihood of threat (priority)
– Potential impact
– Security controls
Vulnerability
• Flaw or weakness (in software, hardware, or process)
– Lack of updates
– Default configurations
– Lack of up-to-date malware protection
– No firewall
– Lack of organizational policies
Risk Assessments
• Practice of identifying, monitoring, and limiting risks to a manageable level
• Cannot eliminate risks
• The amount of risk that remains after managing risk is residual risk
Risk Response Techniques
• Avoid
– Do not participate in the risky activity.
• Transfer
– Outsource or purchase insurance. Sometimes referred to as sharing risk.
• Mitigate
– Implement controls to reduce risks. Antimalware reduces the risk from malware.
• Accept
– Use if the cost of the control is greater than the benefit. Remaining risk is residual risk.
Risk Assessments
• First steps
– Identify assets and asset value
• Quantitative
– Uses specific monetary amounts to identify cost and asset values
• Qualitative
– Uses judgment to categorize risks based on probability and impact
Quantitative Risk Assessment
• SLE (single loss expectancy)
– Cost of any single loss
• ARO (annual rate of occurrence)
– How many times the loss will occur annually
• ALE (annual loss expectancy)
– SLE × ARO
Quantitative Risk Assessment
• Laptop cost $2,000
• Employees lose one a month
– What is SLE?
– What is ARO?
– What is ALE?
• Formulas
– ALE = SLE × ARO
– ARO = ALE / SLE
– SLE = ALE / ARO
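The laptop question worked through in code, as an added example that is not part of the original slides. It uses the slide's figures ($2,000 per laptop, one lost per month) and the slide's three formulas, then applies the Accept rule from the risk response table (accept when the control costs more than the benefit it delivers). The control cost ($10,000 per year) and its assumed effect on the loss rate (ARO halved) are constructed assumptions for the illustration.

```python
"""Quantitative risk assessment: SLE, ARO, ALE, and the mitigate-or-accept decision.

Added example, not part of the original slides. The laptop figures come from
the slide; the control cost and the loss-reduction estimate are constructed.
"""
from dataclasses import dataclass


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def aro_from_ale(ale: float, sle: float) -> float:
    """ARO = ALE / SLE (the slide's rearranged formula)."""
    return ale / sle


def sle_from_ale(ale: float, aro: float) -> float:
    """SLE = ALE / ARO (the slide's rearranged formula)."""
    return ale / aro


@dataclass
class ControlDecision:
    """Compares a control's annual cost with the ALE reduction it buys."""
    ale_before: float
    ale_after: float
    annual_control_cost: float

    @property
    def annual_benefit(self) -> float:
        # Benefit of a control = how much it lowers the expected annual loss.
        return self.ale_before - self.ale_after

    @property
    def net_value(self) -> float:
        return self.annual_benefit - self.annual_control_cost

    @property
    def response(self) -> str:
        # Accept the risk when the control costs more than the benefit; otherwise mitigate.
        return "mitigate" if self.net_value > 0 else "accept"


def laptop_example() -> dict:
    """The slide's scenario: $2,000 laptops, one lost per month."""
    sle = 2000.0                 # cost of any single loss
    aro = 12.0                   # one loss per month = 12 per year
    ale = annual_loss_expectancy(sle, aro)
    # Constructed assumption: a $10,000/yr control (e.g. asset tracking plus
    # disk encryption) is estimated to halve the loss rate, ARO 12 -> 6.
    decision = ControlDecision(
        ale_before=ale,
        ale_after=annual_loss_expectancy(sle, aro / 2),
        annual_control_cost=10_000.0,
    )
    return {
        "SLE": sle,
        "ARO": aro,
        "ALE": ale,
        "control_benefit": decision.annual_benefit,
        "response": decision.response,
    }


if __name__ == "__main__":
    for k, v in laptop_example().items():
        print(f"{k}: {v}")
```

The same `ControlDecision` flips to "accept" if the control's annual cost exceeds the ALE reduction, which is exactly the Accept row of the risk response table; the difference that remains after mitigation is the residual risk.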
Qualitative Risk Assessment
• Likelihood of occurrence
– Probability that an event will occur
– Probability that a threat will attempt to exploit a vulnerability
• Impact
– Magnitude of harm resulting from a risk
– Negative result of the event
– Loss of confidentiality, integrity, or availability of a system or data
Qualitative Risk Assessment
• Web server selling products on the Internet
– Probability of being attacked
– Impact
• Library computer
– Probability of being attacked
– Impact
Risk Assessments
• Documenting the assessment
• Results are valuable
– Help the organization evaluate threats and vulnerabilities
– Should be protected
– Only accessible to management and security professionals
Risk Register
• A record of information on identified risks
• A repository of information on risks
• Often recorded in a table with columns such as:
– Category
– Specific risk
– Likelihood
– Impact
– Risk score
– Security controls
– Contingencies
– Risk score (with controls)
– Action assigned to
– Action deadline
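A qualitative assessment recorded in a risk register, as an added example that is not part of the original slides. It scores the two assets from the qualitative slide (an Internet-facing web server and a library computer) as likelihood × impact on an ordinal scale, stores every column the register slide lists, and computes the risk score both before and after controls. The 1/3/5 scale, the control names, owners and deadlines are constructed assumptions.

```python
"""Qualitative risk scoring and a minimal risk register.

Added example, not part of the original slides. The ordinal scale and the
sample entries are constructed; the two assets come from the slide.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ordinal scale for likelihood and impact ratings.
SCALE = {"low": 1, "medium": 3, "high": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Qualitative risk score = likelihood rating x impact rating."""
    return SCALE[likelihood] * SCALE[impact]


@dataclass
class RiskEntry:
    """One row of the register; field names follow the slide's column list."""
    category: str
    risk: str
    likelihood: str
    impact: str
    controls: List[str] = field(default_factory=list)
    contingency: str = ""
    likelihood_with_controls: Optional[str] = None
    impact_with_controls: Optional[str] = None
    assigned_to: str = ""
    deadline: str = ""

    @property
    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def residual_score(self) -> int:
        # Score with controls; falls back to the inherent rating when no
        # post-control rating has been recorded yet.
        return risk_score(self.likelihood_with_controls or self.likelihood,
                          self.impact_with_controls or self.impact)


class RiskRegister:
    def __init__(self) -> None:
        self.entries: List[RiskEntry] = []

    def add(self, entry: RiskEntry) -> None:
        self.entries.append(entry)

    def prioritized(self) -> List[RiskEntry]:
        """Highest inherent score first: the order in which to address them."""
        return sorted(self.entries, key=lambda e: e.inherent_score, reverse=True)

    def above_threshold(self, threshold: int) -> List[RiskEntry]:
        """Entries whose residual risk still exceeds what management accepts."""
        return [e for e in self.entries if e.residual_score > threshold]


def build_sample_register() -> RiskRegister:
    """Constructed register with the slide's two assets."""
    reg = RiskRegister()
    reg.add(RiskEntry(
        category="Web", risk="Internet-facing web server selling products is compromised",
        likelihood="high", impact="high",
        controls=["web application firewall", "patching SLA", "TLS"],
        contingency="fail over to standby site",
        likelihood_with_controls="medium", impact_with_controls="medium",
        assigned_to="web team", deadline="end of Q1"))
    reg.add(RiskEntry(
        category="Endpoint", risk="Library public computer is compromised",
        likelihood="high", impact="low",
        controls=["session reset on logout", "no stored user data"],
        contingency="reimage the machine",
        likelihood_with_controls="medium", impact_with_controls="low",
        assigned_to="desktop support", deadline="end of Q1"))
    return reg


if __name__ == "__main__":
    for e in build_sample_register().prioritized():
        print(f"{e.category:9} inherent={e.inherent_score:2} residual={e.residual_score:2} {e.risk}")
```

The library computer has a high probability of being attacked but a low impact, so it scores well below the web server; `above_threshold` is the check that identifies which residual risks still need management sign-off.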
Supply Chain Assessment
• Supply chain
– Materials
– All the processes required to create and distribute a product
• Assessment evaluates these elements
– Identifies risks such as a single point of failure
Checking for Vulnerabilities
• Determines the security posture of a system
• Identifies vulnerabilities and weaknesses
Vulnerability Scanning
• Identify vulnerabilities and misconfigurations
– Open ports
– Weak passwords
– Default accounts
– Sensitive data
– Security and configuration errors
• Passively test security controls
– Does not exploit vulnerabilities
Vulnerability Scanning
• Identify lack of security controls
– Systems without patches
– Systems without antivirus software
• False positive
– Scan detected a vulnerability
– But the vulnerability doesn't actually exist
• False negative
– Vulnerability exists
– But the scan did not detect it
Vulnerability Scanning
• Credentialed scan vs. non-credentialed scan
• Configuration compliance scans
• Obtaining authorization
– A penetration test can cause system instability
– Without consent you may be perceived as an attacker
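The false positive / false negative definitions and the credentialed-vs-non-credentialed distinction from the two slides above, as an added example that is not part of the original slides. It reconciles what a (non-credentialed) scanner reported against the installed versions a credentialed inventory sees, labelling each finding confirmed or false positive, and flags vulnerable packages the scanner never reported as false negatives. The scan output, the inventory, and the advisory identifiers (`VULN-1`, `VULN-2`, `VULN-3`) are constructed placeholders, not real identifiers.

```python
"""Reconciling vulnerability-scan findings against a credentialed inventory.

Added example, not part of the original slides. All hosts, versions and
advisory IDs below are constructed placeholders.
"""
from typing import Dict, List, Set, Tuple

# Constructed scanner output: (host, advisory id, package, banner the scanner matched on).
SCAN_FINDINGS = [
    ("web01", "VULN-1", "openssh", "banner < 8.2"),
    ("web01", "VULN-2", "nginx", "banner < 1.18"),
    ("db01", "VULN-1", "openssh", "banner < 8.2"),
]

# Constructed ground truth from a credentialed inventory of installed versions.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web01": {"openssh": "8.4", "nginx": "1.16"},
    "db01": {"openssh": "7.9", "postgres": "12.1"},
}

# Constructed advisory catalogue: advisory id -> (package, first fixed version).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "VULN-1": ("openssh", "8.2"),
    "VULN-2": ("nginx", "1.18"),
    "VULN-3": ("postgres", "12.4"),
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """'12.1' -> (12, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """Affected when the installed version is below the first fixed version."""
    return version_tuple(installed) < version_tuple(fixed_in)


def classify(findings=SCAN_FINDINGS, inventory=INVENTORY,
             advisories=ADVISORIES) -> Dict[str, List[Tuple[str, str]]]:
    result: Dict[str, List[Tuple[str, str]]] = {
        "confirmed": [], "false_positive": [], "false_negative": []}
    reported: Set[Tuple[str, str]] = set()

    for host, adv_id, pkg, _banner in findings:
        reported.add((host, adv_id))
        installed = inventory.get(host, {}).get(pkg)
        fixed_in = advisories[adv_id][1]
        if installed is not None and is_affected(installed, fixed_in):
            result["confirmed"].append((host, adv_id))
        else:
            # Package absent or already at/above the fixed version: the scanner
            # reported a vulnerability that does not actually exist.
            result["false_positive"].append((host, adv_id))

    # False negatives: vulnerable according to the inventory, but absent from the scan.
    for host, pkgs in inventory.items():
        for adv_id, (pkg, fixed_in) in advisories.items():
            if pkg in pkgs and is_affected(pkgs[pkg], fixed_in) \
                    and (host, adv_id) not in reported:
                result["false_negative"].append((host, adv_id))
    return result


if __name__ == "__main__":
    for kind, items in classify().items():
        print(f"{kind}: {items}")
```

Banner-based (non-credentialed) matching is where the web01/openssh false positive comes from: the host is patched, but the scanner only saw a version string. Running the scan with credentials, or reconciling it against inventory as above, is how such findings get cleared before they reach the risk register.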
Penetration Testing
• Assesses deployed security controls
• Determines the impact of a threat
• Starts with passive reconnaissance (such as a vulnerability scan)
• Follows with an attempt to exploit vulnerabilities
Penetration Testing
• Passive reconnaissance
– Collects information
– Often uses open-source intelligence
• Active reconnaissance
– Uses tools to gather information
– Typically includes vulnerability and network scans
• Initial exploitation
– Exploits vulnerabilities
Penetration Testing
• Escalation of privilege
– Attempts to gain additional privileges
• Pivot
– Use the exploited system to exploit other systems
• Persistence
– Take steps to retain a presence on the network
Penetration Testing
• Black box testing
– Testers have zero knowledge of the environment prior to the test
– Often use fuzzing
• White box testing
– Testers have full knowledge of the environment
• Gray box testing
– Testers have some knowledge of the environment
Comparisons
• Vulnerability scanning
– Nonintrusive and passive
– Little impact on a system during a test
– Probes systems to identify vulnerabilities
– Does not take action to exploit vulnerabilities
• Penetration testing
– Intrusive and active
– Can potentially compromise a system
Using Security Tools
• Protocol analyzer (sniffer)
– Captures, displays, and analyzes packets sent over a network
– Can examine IP headers
• View protocols, flags, source and destination info
– Useful when troubleshooting communication problems
– Useful to detect manipulated or fragmented packets
– Can view unencrypted network traffic, including passwords sent in clear text
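What a protocol analyzer does with the IP header of each captured packet, as an added example that is not part of the original slides: it decodes the IPv4 header fields the slide lists (protocol, flags, source and destination), reports whether the packet is a fragment, and verifies the header checksum so a manipulated header stands out. The packets are constructed with the included `build_packet` helper rather than read from a real capture; `parse_ipv4` is the decoder.

```python
"""Decoding an IPv4 header the way a protocol analyzer displays it.

Added example, not part of the original slides. Packets are constructed
in-line; only the IPv4 header is decoded and the payload is left opaque.
"""
import struct
from dataclasses import dataclass

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int                 # header length in 32-bit words
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int     # in 8-byte units
    ttl: int
    protocol: str
    checksum_ok: bool
    src: str
    dst: str

    @property
    def is_fragment(self) -> bool:
        """True when more pieces follow or this is not the first piece."""
        return self.more_fragments or self.fragment_offset > 0


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> IPv4Header:
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _chk, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("malformed IPv4 header")
    header = packet[: ihl * 4]
    return IPv4Header(
        version=version, ihl=ihl, total_length=total_len, identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),   # DF flag (bit 14)
        more_fragments=bool(flags_frag & 0x2000),  # MF flag (bit 13)
        fragment_offset=flags_frag & 0x1FFF,       # low 13 bits
        ttl=ttl,
        protocol=PROTOCOL_NAMES.get(proto, str(proto)),
        # Summing a header that includes its own checksum yields 0 when intact.
        checksum_ok=ip_checksum(header) == 0,
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
    )


def build_packet(src: str, dst: str, proto: int, flags_frag: int,
                 ident: int = 0x1234, payload: bytes = b"") -> bytes:
    """Construct a 20-byte-header IPv4 packet with a correct checksum (demo helper)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    chk = ip_checksum(header)
    return header[:10] + struct.pack("!H", chk) + header[12:] + payload


if __name__ == "__main__":
    pkt = build_packet("10.0.0.1", "10.0.0.2", 6, 0x4000, payload=b"hi")
    print(parse_ipv4(pkt))
```

A packet whose checksum does not verify, or whose fragment offset points into the middle of a datagram the analyzer never saw the start of, is exactly the "manipulated or fragmented" case the slide mentions; on a real capture the same decoder would be applied to each frame's IP layer.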
Monitoring Logs
• Operating system logs
– Continuously record information that can be useful in troubleshooting and gaining information
– Application log
– System log
– Security log
• Firewall and router access logs
Monitoring Logs
• Linux logs
• Antivirus logs
• Application logs
• Performance logs
• Review logs regularly
• Store logs in a central location
– Provides protection against attacks
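One concrete reason to review logs regularly, as an added example that is not part of the original slides: a detection that reads Linux authentication log lines and flags any source address with repeated failed logins inside a short window. The log lines are constructed in the standard syslog/sshd format; the threshold of 5 failures within 60 seconds and the year used to complete the timestamps are assumptions to tune for your own environment.

```python
"""Detecting repeated failed logins in Linux auth log lines.

Added example, not part of the original slides. The log lines are
constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the syslog/sshd format found in /var/log/auth.log or
# /var/log/secure. Addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 10 09:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 09:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 09:00:07 host1 sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Jan 10 09:00:09 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 09:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 09:15:20 host1 sshd[2101]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

Record = Tuple[datetime, str, str, str, str]  # (timestamp, host, result, user, ip)


def parse_line(line: str, year: int = 2020) -> Optional[Record]:
    """Parse one sshd line; syslog omits the year, so it is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["result"], m["user"], m["ip"]


def find_bruteforce(log_text: str, threshold: int = 5,
                    window_s: int = 60) -> List[Tuple[str, int]]:
    """Source IPs with at least `threshold` failures inside any `window_s` window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "Failed":
            failures[rec[4]].append(rec[0])

    alerts: List[Tuple[str, int]] = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ip, end - start + 1))
                break                           # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {count} failed logins from {ip} within 60 s")
```

The single failure from 198.51.100.4 followed by a success is the normal typo case and produces no alert; the burst from 203.0.113.7 does. Shipping these lines to a central log server first means the evidence survives even if the host itself is later compromised, which is the protection the slide refers to.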
Auditing and Reviews
• Usage auditing and reviews
– Logs and identifies user actions
– Useful during investigations
• Permission auditing and review
– Ensures that users have only the access they need and no more
– Ensures that inactive accounts are either disabled or deleted
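The two permission-review checks from the slide above, as an added example that is not part of the original slides: compare each account's granted permissions with a per-role baseline to find access beyond what the role needs, and flag enabled accounts that have not logged in within an inactivity limit. The roles, permission names, accounts and the 90-day limit are constructed assumptions; a real review would pull these from the directory and the access-management system.

```python
"""Permission audit: least-privilege and inactive-account checks.

Added example, not part of the original slides. Role baselines, accounts
and the inactivity limit are constructed assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed role baselines: the permissions each role actually needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "analyst":   {"siem:read", "tickets:write"},
}

# Constructed account export as a review would receive it.
ACCOUNTS = [
    {"user": "alice", "role": "developer",
     "perms": {"repo:read", "repo:write", "ci:run"},
     "last_login": date(2020, 1, 8), "enabled": True},
    {"user": "bob", "role": "analyst",
     "perms": {"siem:read", "tickets:write", "repo:write"},   # repo:write is not an analyst need
     "last_login": date(2020, 1, 5), "enabled": True},
    {"user": "carol", "role": "developer",
     "perms": {"repo:read"},
     "last_login": date(2019, 8, 1), "enabled": True},         # no login for months
]


def excess_permissions(account: dict, baseline=ROLE_BASELINE) -> Set[str]:
    """Permissions beyond what the account's role needs (least privilege)."""
    return set(account["perms"]) - baseline.get(account["role"], set())


def is_inactive(account: dict, today: date, max_idle_days: int = 90) -> bool:
    """Enabled account with no login inside the inactivity limit."""
    return account["enabled"] and (today - account["last_login"]) > timedelta(days=max_idle_days)


def audit(accounts=ACCOUNTS, today: date = date(2020, 1, 15)) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"excess_permissions": [], "inactive_accounts": []}
    for acct in accounts:
        extra = excess_permissions(acct)
        if extra:
            findings["excess_permissions"].append(f"{acct['user']}: {sorted(extra)}")
        if is_inactive(acct, today):
            findings["inactive_accounts"].append(acct["user"])
    return findings


if __name__ == "__main__":
    for kind, items in audit().items():
        print(f"{kind}: {items}")
```

Fewer permissions than the baseline (carol's `repo:read` only) is not a finding for this check, since the slide's concern is access beyond need; her account is reported for inactivity instead, and the expected outcome of the review is that it is disabled or deleted.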
Malicious code that attaches itself to a host application
– The host application must be executed for it to run
– Finds other host applications to infect by replicating itself
– Payloads delete files or cause random reboots
– Joins the computer to a botnet